From aff9dd541d00451192e18d4302134f54e808be68 Mon Sep 17 00:00:00 2001
From: kevross33
Date: Fri, 13 May 2016 15:48:46 +0100
Subject: [PATCH] Add in severity 1 sig for querying for logged in user
---
modules/signatures/antivm_username.py | 30 +++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
create mode 100644 modules/signatures/antivm_username.py
diff --git a/modules/signatures/antivm_username.py b/modules/signatures/antivm_username.py
new file mode 100644
index 0000000..2c7e45a
--- /dev/null
+++ b/modules/signatures/antivm_username.py
@@ -0,0 +1,30 @@
+# Copyright (C) 2016 Kevin Ross
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+from lib.cuckoo.common.abstracts import Signature
+
+class AntiVMUsernameQuery(Signature):
+ name = "antivm_queries_username"
+ description = "Queries for the logged in username"
+ severity = 1
+ categories = ["AntiVM"]
+ authors = ["Kevin Ross"]
+ minimum = "1.3"
+ evented = True
+
+ filter_apinames = set(["GetUserNameA","GetUserNameW","GetUserNameExA","GetUserNameExW"])
+
+ def on_call(self, call, process):
+ return True
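Review bot: `on_call` returns True on the very first GetUserName* call without recording which process or API triggered the match, so the report will show only the static description and an analyst cannot tell whether the query came from the sample itself or from a loaded system component. If the project's Signature base exposes a per-signature result list (e.g. `self.data`), recording the call before returning, along the lines of `self.data.append({"api": call["api"]})`, would make the low-severity hit reviewable; confirm the available attribute against the base class, which is outside this patch. Since querying the current user name is routine for benign software, a class-level comment should also state why it is kept as an AntiVM heuristic, e.g. `# Low-confidence indicator: samples compare the user name against well-known sandbox/analysis account names; severity 1 because legitimate software makes the same call.` As a point of style, `set([...])` can be written as a set literal `{"GetUserNameA", "GetUserNameW", "GetUserNameExA", "GetUserNameExW"}` with spaces after the commas.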